Architecting Tenant Networking with NSX in vCloud Director : IP Address Management and Routing : 5.3 Internet Address Management : 5.3.3 Outbound Internet Access
   
5.3.3 Outbound Internet Access
For tenant workloads to access the public internet, their private, internal addresses must be translated into public addresses that are routable on the Internet. Unlike the Destination NAT described in Section 5.1.1, Service Provider Managed Addressing, here it is the outbound connection to the internet whose source IP address needs changing, so this NAT process is more accurately known as Source NAT (SNAT). A Source NAT is a 1:1 mapping between the IP address used by the device connecting to the internet and a suitable internet address assigned to that device. This 1:1 mapping is typically necessary when the device in question must be reachable by unsolicited inbound connections, such as a web server or an email transfer host.
However, one or more devices in a solution often require access to the internet without requiring unsolicited inbound access from the internet. These can be application servers that connect to a source of data or updates on the Internet but should not receive inbound connections. For cases such as this, it is possible to “hide” many devices behind a single internet IP address. Each device’s outbound connection has its source IP address changed, often to the interface address of the device carrying out the translation, and its source TCP or UDP “port” number changed to a randomly selected value that is tracked in a connection table, so that the translating device can deliver the inbound half of the connection back to the correct, originating host. Because both the source IP address and the next-layer protocol port are changed, this version of NAT is sometimes known as Port NAT (PNAT) or, more commonly, Port Address Translation (PAT).
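The following Python model is an added illustration and is not part of the VMware document or of NSX itself. It shows the two behaviours described above side by side: a 1:1 SNAT entry that keeps the source port and stays reachable for unsolicited inbound connections, and a PAT pool where many hosts share one public address, each connection gets a randomly chosen public port recorded in a connection table, and an inbound packet with no matching table entry is dropped. All addresses are constructed from the RFC 5737 documentation ranges; `OutboundNat`, `Flow` and `demo` are names chosen for this example.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound connection as seen on the tenant (private) side."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class OutboundNat:
    """Toy model of an edge doing 1:1 SNAT for selected hosts and PAT for all others.

    static_snat: private IP -> dedicated public IP (1:1 SNAT, source port unchanged).
    pat_address: the single public IP that every other host is hidden behind.
    """

    def __init__(self, pat_address, static_snat=None, port_range=(1024, 65535), seed=None):
        self.pat_address = pat_address
        self.static_snat = dict(static_snat or {})
        self.port_lo, self.port_hi = port_range
        self.rng = random.Random(seed)  # seedable so the demo is reproducible
        # PAT connection table, keyed by what a reply packet will carry:
        # (public port, remote ip, remote port, proto) -> originating Flow
        self.table = {}
        # Existing connections keep the port they were given
        self.reverse = {}

    def _allocate_port(self, dst_ip, dst_port, proto):
        # Random public port that does not collide with an entry to the same remote endpoint
        for _ in range(1000):
            port = self.rng.randint(self.port_lo, self.port_hi)
            if (port, dst_ip, dst_port, proto) not in self.table:
                return port
        raise RuntimeError("PAT port pool exhausted for this remote endpoint")

    def outbound(self, flow):
        """Translate an outbound packet; returns (public source ip, public source port)."""
        if flow.src_ip in self.static_snat:
            # 1:1 SNAT: only the address is rewritten, the port is preserved
            return self.static_snat[flow.src_ip], flow.src_port
        if flow in self.reverse:
            return self.pat_address, self.reverse[flow]
        port = self._allocate_port(flow.dst_ip, flow.dst_port, flow.proto)
        self.table[(port, flow.dst_ip, flow.dst_port, flow.proto)] = flow
        self.reverse[flow] = port
        return self.pat_address, port

    def inbound(self, dst_ip, dst_port, remote_ip, remote_port, proto="tcp"):
        """Map a packet from the internet to (private ip, private port), or None if dropped."""
        for private_ip, public_ip in self.static_snat.items():
            if public_ip == dst_ip:
                # 1:1 mapping: the host is reachable even for unsolicited connections
                return private_ip, dst_port
        if dst_ip != self.pat_address:
            return None
        flow = self.table.get((dst_port, remote_ip, remote_port, proto))
        if flow is None:
            # No connection-table entry: unsolicited traffic to a PAT-hidden host is dropped
            return None
        return flow.src_ip, flow.src_port


def demo():
    """Two hidden application servers and one 1:1 web server pass through the edge.

    Constructed addresses: 203.0.113.0/24 is the public side, 198.51.100.0/24 the internet.
    """
    nat = OutboundNat("203.0.113.10", static_snat={"192.168.1.10": "203.0.113.20"}, seed=1)
    update_server = ("198.51.100.5", 443)
    app1 = Flow("192.168.1.50", 40000, *update_server)
    app2 = Flow("192.168.1.51", 40000, *update_server)  # same private source port as app1
    ip1, port1 = nat.outbound(app1)
    ip2, port2 = nat.outbound(app2)
    return {
        "pat_ips": (ip1, ip2),                       # both hidden behind the same address
        "ports": (port1, port2),                     # but with distinct public ports
        "reply1": nat.inbound(ip1, port1, *update_server),
        "unsolicited": nat.inbound("203.0.113.10", port1, "198.51.100.99", 443),
        "web_outbound": nat.outbound(Flow("192.168.1.10", 40000, *update_server)),
        "web_inbound": nat.inbound("203.0.113.20", 80, "198.51.100.99", 51000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The connection table is keyed by the full remote endpoint as well as the public port, which is why two hosts that happen to pick the same private source port still get unambiguous entries, and why a packet from an address the edge never spoke to finds no entry and is discarded.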
The following figure revisits the NAT diagram from Figure 18, but this time looking at outbound connections.
Figure 26. Outbound Address Translation (SNAT/PAT)
 
As noted in Section 5.3.1, Shared Multitenant External Network, the Edge Services Gateway must have its interface address sub-allocated to itself before the address can be used for outbound PAT.